Reposilite Lightweight and easy-to-use repository ...
# opensource
a
Reposilite Lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. This is a simple, extensible and scalable self-hosted solution that replaces managers like Nexus, Archiva or Artifactory, with reduced resource consumption. https://github.com/dzikoysk/reposilite This is not my project, but I just want to call out an awesome, sorely needed open source project that we've used for a while and I think others would benefit from. @dzikoysk has done an amazing job with this and it is a fantastic example of Kotlin in dev ops and the server.
💡 1
🚀 1
n
Is there any option to have private artefacts with auth? Because we started developing one internally for this reason a few months ago (with very basic features, just for our needs)
a
Yes, we have auth on all our repos with it and use it to proxy all artifacts. Everything we use goes through reposilite.
If you need any help with setup let me know. Happy to support this project and honestly it has been a huge win for us over running JFrog and any of the other bloated repos. If you strictly need java/kotlin artifact management there is nothing better and it runs in less than 50mb of memory.
n
We started working on this a few months ago, it works but it has no UI for example 🤷‍♂️ https://github.com/guimauvedigital/pkg
a
Awesome. Maybe check out reposilite and see what you think then. If I remember correctly, the creator was open and hoping others would extend it for other package systems. We need go, rust, and js (npm) packages in particular, but haven't found the time to write the storage side from scratch yet. You've obviously done that here for npm, python, and maven, so maybe it makes sense to bring the npm / python implementations to reposilite if you end up liking it. We are currently using gitea for our npm and go packages which isn't a bad solution either. Gitea has been great from a source code / git perspective.
n
I’ll take a deeper look and maybe we’ll switch. Thank you for answering the questions!
e
Nice, looks like from our usage I'm missing only dependencies scan
n
Actually with the repository proxy feature, do you think it’s possible to migrate proxying the old repository? I mean, if it caches the proxied resource can we safely remove the old one after that?
a
@Nathan Fallet Yes. We did the same with an old artifactory instance and even migrated its storage folder over. I just looked and we still have it there resolving though we don't use it anymore lol. Just be sure to back up in case you clear the cache or anything during an upgrade of course.
@Eugen Martynov I agree but the author is very open to improvements and I agree that would be nice. We originally started using it in the hopes of helping with functionality like this and identifying if we are using any sensitive dependency with a quick search. We even have a gradle plugin that enforces our repos based on workspace folders and auto loads our internal gradle plugins to auto configure publishing, etc. It's made starting a new project way simpler for us.
❤️ 1
e
I see it supports plugins, so it's probably possible to write a plugin to do at least an OWASP check
a
If either of you pick this up and look to do any work on it, let me know. We are in a balancing act with the effort we can put in, but with either of you in on a feature we agree on it would be a pleasure to pitch in with you.
@Eugen Martynov yes I agree. It's written using Javalin as a framework which is a pretty pragmatic, lightweight and high performing framework. It's pretty easy to get around and the creator has put a lot of work into making this accessible for devs it appears. https://reposilite.com/guide/sources I can't say I've developed a plugin yet, but this is a project that I'm not scared away from lol.
Also, if either of you need start/stop scripts or download/upgrade scripts, we run this as a simple jar download and run script on linux. Happy to share.
n
If we migrate to it, I already have ideas for plugins (things I wanted to integrate in my own as features)